Topic: making fake HW wallets(will we see this scam next)?? (Read 309 times)

What I found when I did big research of hardware wallets is that Buterino didn't use any malicious stuff in their wallets, it was similar components like in original trezor.
I don't have any of this mini-trezor devices myself so I can't confirm and be totally sure about this, and who knows what could happen after they stopped creating this devices.
I would not suggest using this devices as firmware is outdated, but I would be interested to hear if someone from bitcointalk forum owns them as collectible.

Maybe it's best if they don't buy them at all now.
Honestly, I would suggest anyone not to buy any Trezor wallets until they add open source secure element and fix issues they have (they are working on this).
I would never suggest ledger because they are closed source and they have countless issues with their devices, especially nono x.
Buying good used laptop and using it only offline for crypto wallets or with Tails OS is a good alternative, and you won't leak your data to crypto scammers.

I see Trezor has a new (for 2020) line of wallets  . Forgive me for this, but I am amused by the appearance of these devices and the creativity of the creators of the fake device. It was necessary to come up with a "Mini" for these Frankenstein freaks  .  They look like cheap chinese toys of the lowest quality.

P.S. I learned about these crafts only from this post and for me this is the news of the day. It would be nice to periodically remind about such fakes, as topics about them slide down and disappear from the field of view of their possible victims. And so, at least there is a chance that someone will see a warning about this and will stop them from doing stupid things.

Even that's not really needed because based on the info I received from Ledger's support team when I sent them those fake emails pretending I have various problems with the wallets, they are willing to replace broken devices even if they are out of warranty.

If they are based on Trezor's open-source code, you can check it yourself and everyone else could as well. But most people don't know how to do that. Open-source doesn't make those Russian Trezors safe, it just means that the code can be independently verified. So if it has something that shouldn't be there, it could be discovered. 

But do you know if anyone actually did a deep dive in to these things to see if there was any hidden stuff?  Would there be a way to easily hide malicious stuff inside these things?  This is of course why I preach to all my friends/clients to buy from the manufacturer directly.  ( I would def love to  have one of these fake trezor's as a collectible!)

This mini-trezors are not available anymore and they used different hardware components, but I don't think they were a scam and they used exact same software/firmware like original Trezor.
It was just a smaller Russian version on Trezor wallet and it would be cool to have it as a collectible, nothing more.
There are even DIY wallets with full instructions how to make your own device and 3d print the case, so it's not that hard.

Someone recently reported that many people are selling old and broken Ledger hardware wallets for cheap on ebay and other websites.
Maybe people buy them for spare parts but we know that ledger sold millions of this devices and they are all around the world.
It would not be so hard for scammers to purchase those device, refurbish them, make modifications and load their malware software.
Maybe they come in box packages, but they can always make new boxes and do better job in adding foil over them.

Everything about the package is sloppy. If you look at the photo of the letter which came with it, it is full of informal language and grammatical errors which you would not expect from an official document. The same goes for the set up guide.

They were targeted because their details were part of the Ledger database hack, so the attacker knew their name and address and knew they owned a Ledger device. But yes, receiving anything you aren't expecting through the mail should be a red flag. Just as you should never plug in a random USB drive you find or are given, you should never use a hardware wallet you find or are given - only use one you bought yourself directly from the manufacturer.

People who fall for scams, don't usually think straight or use common sense.

The information that came with those devices instructed the victims to use these brand-new devices because the old ones (the genuine ones) should no longer be trusted and aren't good enough. Something like that. They got info about their victims through the data leaks. But if you have a genuine copy of Ledger Live, you wouldn't be able to pair it with this fake device. Because only genuine Ledger HWs can be connected to Ledger servers on Ledger Live. You have to use their fake software. Essentially, this is the same thing as downloading or installing a fake Electrum wallet. Only this time, a hardware wallet is part of the deal. 

Someone who thinks straight would probably want to doublecheck this. It's only logical that Ledger would announce to their community that they are sending affected parties brand-new and improved devices. So you would check their website, blog, social media, etc. to find this information.

I fear what could happen if medical records of those who have been vaccinated leaked somewhere. I can only imagine how many people would inject themselves if they received a package with a vaccine instructing them to inject it in their leg, arm, buttocks, or whatever because the vaccines they were given previously have been proven to not be effective enough. This new self-injecting one we created is state of the line.

Thank you for sharing this link and comments.



Thanks for posting this info here. This will not only satisfy my curiosity, but may be useful for future Ledger buyers.

I am surprised by the quality of the blue film packaging. It immediately catches the eye and looks sloppy, poor quality and suspicious.

The person who received this device did not order it, but received it just like that? Those, this should already be alarming in such cases: you did not buy or order, but you received a device.

I could see this happening.  Take a look at these fake Trezors- https://bitcointalksearch.org/topic/trezor-wallet-fakes-to-be-aware-of-5227930

Yeah it happened and I have been writing all about that last year in one of my topics.
Packaging and case looked like original, they even had plastic cover (not that hard to make even at home), fake packaging bag, so newbies could fall for this trap easy.
Only difference was with fake instructions, inside of device pcb was different and fake software that was pre-loaded on device.
Experienced users and previous ledger owners would probably notice suspicious scam device and report it like one of them did.

You can read about it here: https://www.reddit.com/r/ledgerwallet/comments/o154gz/package_from_ledger_is_this_legit/

I'm not sure if anyone has lost funds to this attack.

Essentially it involves replacing the hardware inside a Ledger device with different hardware which causes the hardware wallet to behave like a simple mass storage device (essentially a USB drive). The scammers mail out these devices along with instructions telling people to connect their "hardware wallet", open the software on the mass storage device, and enter their seed phrase, all under the guise of "securing their coins" or some similar bullshit story. As soon as you enter your seed phrase, it is sent to the scammers and your coins are stolen.

So yes, while fake Ledger wallets exist in the wild (along with fake devices of several other brands of hardware wallets), they do not behave the same as a genuine hardware wallet and you have to be very naive to fall for them and ignore all the real advice, guides, and warnings which come with your genuine device and are on all the relevant hardware wallet manufacturer websites.

Do I understand correctly that there have already been cases with the substitution of fake ledger wallets? This is the first time I hear about it. Can you tell me where I can read about this incident? Were there people who lost their funds because of this?

This already happened before with fake ledger wallet that was looking exactly the same from outside, but from inside it was different and it was pre-loaded with fake ledger software already.
Nobody knows exactly how many people received this devices but we know that scammers used ledger amateurs leaked database with home addresses information.
With recent stupid changes ledger is making it's not even possible to verify if your device is genuine because they are gluing pcb with battery 

Those are cheap phishing scam and fake tech support that gets recycled all the time.
There are different level of scammers, lowlife and upper class, but biggest scam would be to just infiltrate one STM32 chip manufacturer that is used in most hardware wallets.

The issue is that you would have to:

1) Design and build a fake hardware wallet
2) Make software that will work with it
3) Sell it / give it away to have people use it
4) Have the source complex enough to get away with people not noticing what you are doing.

It's much quicker and easier to setup a scam coin or fake electrum site and drive people to it or a bad link to metamask or something else.

Could it be done? Yes.
Would it be worth it? Probably not.
If money was no object and you have a specific person / target in mind could you do do it? Yes

-Dave

YES pretty much

i know the HW would need a hard mod(ledgers easliy known for this)

on top of that a softwear mod to falsley display BTC wallet address that the scammer has control of

i mean make a fake a device thats is assumed to be 100% geuine(NOT FAKE)
but the guts are programed to display a fake SEDD then a fake wallet address(a scammer control address)

This "scam" isn't really any different to the one where certain paper wallet generators were giving out a set of pre-generated private keys known to the scammers.

It could just as easily be perpetrated using any type of wallet... web wallet, desktop wallet, mobile app or a "scam" hardware wallet.

The key is to ensure you have some way of ensuring that the addresses being displayed do indeed belong to the seed/private keys being generated. In the case of hardware wallets, having 2 from different manufacturers is certainly one way to be able to determine if the addresses being displayed are indeed correct for a given seed.

However, as someone else mentioned earlier... it doesn't really guarantee that the seed/private keys themselves are actually being randomly generated. For that, you'd probably need to generate your own seed (offline) using dice or something similar.

Never mind Amazon, you can't even rent $100 of computational capacity without filing a service limit increase request, and if you're not linking a credit card you got officially from a bank office then chances are you are going to be hit with an account suspension shortly after you commence the attack. Same goes for other cloud platforms near the size of AWS. A botnet is the most likely way to get power even remotely close to $1,000,000.

Sorry, the article was not written by me, but specialists from Trezor. It states that to brute force a passphrase of 10 characters, you will need to pay about $ 1,000,000 today. For 12 characters - $ 128,000,000. By renting servers on Amazon. Do you think this is insufficient protection? Or are you going to store hundreds of millions $ on one wallet?
For this attack, the attacker must know your seed and be prepared to invest huge amounts of money with dubious results.

Even if we assume there are 2.1 trillion 24-word BIP39 wallets with coins in them (as in, all 21 million bitcoin ever split up across 2.1 trillion wallets with only 1000 sats in each wallet), then you are still looking at a 1 in 5.5*10⁶⁴ chance of finding a collision. To find a single 10 character lowercase letter password is a 1 in 141,167,095,653,376 chance. The differences between these two numbers really cannot be overstated. That difference is comparable to the difference between a single atom and all the atoms in the entire world.

Using a passphrase of that strength is almost certainly going to be fine if your seed phrase is secured. But in our scenario here of a seed phrase which is known to an attacker, then it is simply not good enough. You are massively reducing your security.